SCR CAC reader for Leopard

For those of you in the Department of Defense...

I have acquired an SCR 331 CAC reader from work, in order to log in to OWA with my CAC card, but I can't get Leopard to recognize it. I plug it in, a solid light comes on, but no joy. I can't see my CAC in Keychain Access. Is there a driver out there or some other trick so I can get my Mac to recognize the card reader?

iMac G5, iBook G4, Mac mini G4, 4G iPod, 5G iPod, iPhone 8GB, Mac OS X (10.5)

Posted on Jan 16, 2008 10:15 PM

107 replies

Jun 8, 2008 10:12 AM in response to plsrhall

I, too, had this working in 10.5.2, and it's broken in 10.5.3.

To get the CAC reader to work in 10.5.2, I upgraded the firmware on the reader and installed the updated MacOS drivers (5.0.4) from SCM, and installed libusb 1.12 to get the drivers to load correctly. Then I could use CAC sites with Safari.

In 10.5.3, the card reader driver still loads correctly (per the Console), and my CAC credentials show up in Keychain Access. But when I try to access a CAC-enabled site, Safari just sits and spins until it gives up, saying "the server is not responding".

Is this possibly some Safari configuration issue after the 10.5.3 update?

Jul 1, 2008 6:58 AM in response to jim farley

I upgraded to 10.5.4 last night, no luck here. I can see my CAC in Keychain Access, but Safari doesn't seem to recognize it. Attempting a CAC login to AKO brings up a window saying:

To view this page, you need to log in to area “cac-reg” on akocac.us.army.mil:443.

It then asks for a name and password instead of my PIN. I've tried my AKO and system info with no luck.

The card/reader combo works great in an Ubuntu 8.04 VM.

Anyone able to log into AKO with their CAC?

Cheers,

Andreas

Jul 1, 2008 12:25 PM in response to Andreas Yankopolus

Similar results here with 10.5.4 - keychain no longer crashes when I create a new preference for the certificates on my card, but I'm still unable to access NMCI (navy) webmail. I have had partial luck with other .mil sites with 10.5.4, but really only need webmail access. Using Keychain, I can validate the certificates on the card at the webmail site and everything is good, but Safari is still not working.

Jul 2, 2008 9:53 PM in response to jim farley

I am very disappointed. CAC was working fine in all respects under 10.5.2. The upgrade to 10.5.3 was a disaster - the x509 Certificates were made obsolete and not replaced - just x509 Anchors now. I ripped out 10.5.3, reinstalled 10.5.2, turned on the x509 Anchors in Keychain, and the CAC worked perfectly.

Now comes 10.5.4, supposedly with fixes to allow for smart cards to work again. No such luck - suddenly Safari no longer prompts me for my CAC password, even though Keychain recognizes the card.

Apple - what the @#$%^?

Guess I have to erase/reinstall 10.5.2 AGAIN, which means all the new functionality of the latest upgrades will not work, just so I can read my idiotic e-mail.

If anyone knows how to solve this in 10.5.4 once and for all, please post.

Jul 3, 2008 9:55 AM in response to Jacket

Same issue - guess I should have been more specific.

Have enabled x509 Anchors in Keychain for the Mac OS X System. Keychain sees my CAC (reader working fine), but the prompt for my password never appears - when trying to navigate to my webmail site, the authentication is not recognized and I am denied access to the site.

10.5.2 worked great...and worked great again after I erased 10.5.3 and reinstalled 10.5.2. I may be doing that again very soon....

Jul 3, 2008 1:44 PM in response to bajadaddy

After a lot of discussion with a helpful tech at Apple, and a lot of trial and error, I restored partial CAC functionality to my Mac running 10.5.4 and Safari 3.1.2. I am now able to get into my webmail at the Pentagon, but am not yet able to log into AF Portal using the CAC option - but I think I can with a little more troubleshooting.

Bottom Line Up Front (BLUF): You need to activate the X509 Anchors, then create an Identity Preference in your login keychain using your CAC, before you will be able to log into webmail.

This is a work-around technique, which allows you to get to your webmail. The CAC functionality is restored to the level I had in 10.5.2, but does not "fix" Safari. The tech at Apple promised to take this information back to the Safari developers and try to really solve the problem, namely that Safari does not seem to look for the CAC keychain without being told to allow specific urls.

Background: The CAC reader was working fine. A CAC is a keychain of certificates and keys. These show up in "Keychain Access". If you have issues with the CAC reader working, google "CAC on a Mac", and several links will discuss flashing the CAC reader, etc. This technique assumes your CAC reader is working and reading your CAC just fine.

I also had to erase my hard drive in order to get Safari upgraded to the latest version. I have no idea why this was necessary, but it could have been a problem with my hard drive. If your software versions upgraded properly to the latest ones (10.5.4 and Safari 3.1.2), then continue below. Otherwise, I recommend you solve those problems first.

1. Open "Keychain Access". (For troubleshooting purposes, I suggest dragging an image of Keychain Access into the dock so you can get to it faster.)

2. Make sure the keychain entitled "X509 Anchors" is in your keychain list. If it is not, look for it through Keychain Access by going through File/Add Keychain. The X509 Anchors are in Finder/(Your HD)/Library/Keychains. If you can't add the X509 Anchor keychain through Keychain Access, then go to the file itself, copy it, and paste the copy into Finder/(Home folder)/Library/Keychains.

3. Enable the X509 Anchors through "Keychain Access". Go to Keychain Access/Edit/Keychain List, then check the box for X509 Anchors under "User" and "Mac OS X System".

4. Connect your CAC reader, and insert your card. The card should appear as a keychain on the left-hand side, with a name like "CAC-1234-5678-9123-4567-XYZ3" or some such. Select this keychain in the left-hand side window.

5. Immediately under the stoplight buttons, click on the padlock icon to unlock the CAC keychain. You should be prompted for your password - this is your CAC password, not your computer's password.

6. You should see three certificates and three private keys. Select one of the certificates and right-click (CTRL-click) over it - then select "Get info" from the menu. Two of the certificates and two of the keys have the word "e-mail" in the "Issued By" section of the Info window, and one does not. Find the one that does not have "E-mail" in the "Issued By" section. It should be named something like "DOD CLASS 3 CA-5".

7. Close the info window. Go back and single-click this certificate in Keychain Access, then right-click on it again, and select "New Identity Preference" from the menu. The prompt next requires you type the EXACT url address of the website you need to access, then select "Add". (In my case, it was https://webmail.hq.af.mil/Exchange). This builds a preference in your "login" keychain.

8. As a precaution, reset Safari, then type in the same url into the address window, and hit return. This should allow you access to the website from which you can see/send webmail. You can also bookmark this address once you are where you want to be, so in future you can just insert your CAC, click the bookmark, type in your CAC password, and get your webmail.


That's it. Good luck, fellow DOD Mac enthusiasts.

Jul 5, 2008 11:17 AM in response to bajadaddy

Got Safari working with NMCI webmail (Exchange server) and my CAC. Thanks to Shawn at Apple Enterprise Div. for his post in the Fed-Talk List.

Okay, here's what worked for me. Assuming your card reader works (certs appear in Keychain) - you have to create a preference for -all three- of the certificates that appear in Keychain with your card inserted.

1. Open Keychain (Applications\Utilities\Keychain Access)

2. Locate and select the CAC keychain associated with your card in left column of the Keychain window. Mine appears as "CAC-xxxx-xxxx-xxxx-xxxx".

3. Observe that when you selected that keychain, all the certificates and keys on your card are listed on the right side of the Keychain window. There are 3 certificates, one each for ID, Email Signing, and Email Encryption.

4. Right-click on the first certificate and select "New Identity Preference" from the popup list.

5. In the resulting dialog box, enter the url of your server (i.e., "https://webmail.xxx.mil"), and click the Add button.

6. Repeat step 5 for the remaining two certificates on your CAC keychain, using the same URL.

After I created preferences for all three certs (I previously had only done it for the ID cert, without success), I was able to use Safari and access my mail server like before in Leopard 10.5.2.

This is what I did - hope it works for you.

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
